PKI OCSP
I am trying to implement OCSP in a DMZ. I have my Issuing PKI server in the core infrastructure. I have implemented OCSP in the core infrastructure but cannot do the same in the DMZ, because I am having issues getting an OCSP signing certificate
on the OCSP server in the DMZ. The OCSP server in the DMZ can see the Issuing CA but fails to obtain a certificate. I have also tried to use certreq to manually issue the OCSP signing certificate, but this also fails. I am now stuck and I am wondering if my
requirement is not a supported solution. Any help would be appreciated.
John
June 19th, 2011 9:08am
You would need to open the firewall to allow RPC (or DCOM) access to the CA.
Look at this article by Kurt Hudson:
http://social.technet.microsoft.com/wiki/contents/articles/how-to-set-a-static-dcom-port-for-ad-cs.aspx
Brian
June 19th, 2011 4:58pm
So am I correct to assume that the Microsoft implementation does not work in the same way as, say, CoreStreet, where you would deploy a validation authority and then deploy a set of responders?
In my design I had made the assumption that I needed an OCSP instance in my core infrastructure and then another OCSP instance in the DMZ. The OCSP in the core infrastructure would provide OCSP updates into the DMZ instance, and external clients
would get their updates from the OCSP instance in the DMZ.
Is there a reference architecture for an MS OCSP implementation?
John
June 20th, 2011 8:40am
Your assumptions were definitely incorrect. Here is the whitepaper that describes deploying and troubleshooting the Online Responder.
The Online Responder in the DMZ will need to be able to use RPCs (the port cannot be locked down, to the best of my knowledge) to talk to the primary Responder in the array to receive Revocation Configuration information. What you need to do is look at the Extranet scenario section:
http://download.microsoft.com/download/5/3/c/53cdc0bf-6609-4841-a7b9-cae98cc2e4a3/Installing_Configuring_and_Troubleshooting_the_Online_Responder.doc
Brian
June 20th, 2011 2:07pm
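Both of Brian's replies come down to the same thing: the DMZ Online Responder has to reach the Issuing CA over RPC/DCOM (to enroll its OCSP Response Signing certificate) and, in an array, the array controller (to pull revocation configuration). The following is an added example of how that can be done, not code from the thread or from the linked articles, and it uses Microsoft's documented Rpc\Internet registry key to pin the RPC dynamic-port range rather than the per-component DCOM endpoint setting the wiki article walks through. The CA name `CA01.corp.example\Corp Issuing CA`, the responder address `192.0.2.10` and the port range `5000-5010` are assumptions; substitute your own.

```powershell
# Added example (not from the thread). Assumed values, change to suit:
#   CA host\CA name   : CA01.corp.example\Corp Issuing CA
#   DMZ responder IP  : 192.0.2.10
#   Pinned RPC range  : TCP 5000-5010
# Parts 1 and 2 run on the Issuing CA host (and on the array controller, if the
# DMZ responder must pull revocation configuration from it). Part 3 runs on the
# DMZ responder.

# --- 1. Pin the RPC dynamic-port range on the CA host ----------------------
# Documented Microsoft mechanism (KB 154596): HKLM\SOFTWARE\Microsoft\Rpc\Internet
# restricts the ports RPC servers on this host use for dynamic endpoints, so the
# firewall can allow a small fixed range instead of the whole ephemeral range.
# Caveat: it applies to every RPC server on the machine, not only certsvc.
$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }
New-ItemProperty -Path $rpcKey -Name 'Ports' -PropertyType MultiString -Value @('5000-5010') -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -PropertyType String -Value 'Y' -Force | Out-Null
New-ItemProperty -Path $rpcKey -Name 'UseInternetPorts' -PropertyType String -Value 'Y' -Force | Out-Null
# The RPC runtime reads this key at process start; reboot the CA host to apply it.

# --- 2. Allow only the DMZ responder through the CA host firewall ----------
# RPC needs two things open: the endpoint mapper (TCP 135) and the dynamic
# endpoint, which after step 1 is guaranteed to land inside 5000-5010.
# Scoping remoteip to the responder keeps the CA's DCOM surface closed to the
# rest of the DMZ. Add the same two rules on the perimeter firewall.
$dmzResponder = '192.0.2.10'
netsh advfirewall firewall add rule name="AD CS RPC endpoint mapper from DMZ OCSP" dir=in action=allow protocol=TCP localport=135 remoteip=$dmzResponder
netsh advfirewall firewall add rule name="AD CS RPC pinned range from DMZ OCSP" dir=in action=allow protocol=TCP localport=5000-5010 remoteip=$dmzResponder

# --- 3. Verify from the DMZ responder --------------------------------------
# certutil -ping contacts the CA's request interface over DCOM. If this fails,
# enrolling the OCSP Response Signing certificate (manually with certreq or
# automatically from the revocation configuration) fails for the same reason,
# which is the symptom described in the original question.
certutil -config "CA01.corp.example\Corp Issuing CA" -ping

# Optional: on the CA after the reboot, confirm certsvc listens inside the
# pinned range (look for 5000-5010 next to the certsrv process ID).
netstat -ano | findstr LISTENING
```

If `certutil -ping` succeeds but enrollment still fails, the remaining suspects are the OCSP Response Signing template permissions (the responder's computer account needs Read and Enroll) and, for an array, the same RPC path from the DMZ responder to the array controller.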
Yes, this is a different architecture that does not use pre-signed and cached responses. The architecture is basically on-line with everything going to the equivalent of the validation authority in the CoreStreet (or Tumbleweed/Axway) case.
The referenced white papers give you an idea. I would be happy to discuss further.
June 25th, 2011 4:15pm